3852 Views 5 Replies Latest reply: Jun 21, 2012 2:43 PM by Mike Pomraning
Kelvin Davis (Lurker, 3 posts since Dec 28, 2011)

Dec 28, 2011 2:02 AM

SSL certificate

Hey,

Would anybody be able to tell us why our SSL certificate is failing PCI scans? Qualys PCI reports: "Server Supports Weak Encryption Vulnerability (QID: 38140)"

However, when I check mail.aqualisa.co.uk (redirects to https) on www.digicert.com/help it reports "Signature algorithm = SHA1 + RSA (good)"

Any pointers would be very helpful, thank you.

Regards,

Kelvin

  • Keith Shaw (Level 1, 12 posts since Jun 28, 2010)
    Dec 29, 2011 8:27 PM (in response to Kelvin Davis)
    Re: SSL certificate

    To fix this vulnerability you will need to change your server configuration to not allow connections with weak encryption. Try running an SSL Server Test to find out what protocols and cipher suites your server supports.

    Cheers,

    Keith

    • Tuan Phan (Level 1, 34 posts since Nov 23, 2011)
      Jun 21, 2012 11:15 AM (in response to Keith Shaw)
      SSL certificate

      The tool that you provided to do the SSL analysis is for external domains. Do you have that same tool for internal use?

      • Mike Pomraning (Level 1, 29 posts since Oct 12, 2010)
        Jun 21, 2012 1:38 PM (in response to Tuan Phan)
        SSL certificate

        Tuan,

        A VM subscription can provide almost all of the functionality of SSL Labs' external scans, as described here: https://community.qualys.com/thread/10275

        -Mike

        • Tuan Phan (Level 1, 34 posts since Nov 23, 2011)
          Jun 21, 2012 1:57 PM (in response to Mike Pomraning)
          SSL certificate

          Mike,

          We do have a VM subscription and we could not find a way to resolve the "SSL Server Supports Weak Encryption Vulnerability (QID: 38140)". We don't know what the scan is looking for, nor do we have any experience in setting those cipher parameters. We are not looking for certificate checking, nor checking to see if any of them have expired or will soon expire. The SSL Server Test is good for external, but what about internal? Overall, what is the solution to remediate QID 38140? Thank you.

          • Mike Pomraning (Level 1, 29 posts since Oct 12, 2010)
            Jun 21, 2012 2:43 PM (in response to Tuan Phan)
            SSL certificate

            Tuan,

            The KnowledgeBase entry for QID 38140 under the Threat section identifies LOW grade ciphers as those with a small key length. Under the Solution section it proposes some common configuration options for Apache and Tomcat, and provides links for IIS configuration.

            (If memory serves, the UNIX command-line client openssl can also be asked to produce a list of LOW grade ciphers as follows: openssl ciphers LOW. Any ciphers that appear there probably ought to be suppressed from your servers. Now, your openssl build might not have exactly the same cipher list as the current scanner, but it's a place to start if the KnowledgeBase suggestions aren't appropriate.)

            -Mike
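Added example (not from this thread or from Qualys): an offline audit script that parses `openssl ciphers -v` output, flags suites by the small-key-length criterion the QID describes (plus NULL and export suites), and builds an explicit allow-list string for the server configuration. The sample input is constructed; on a real server you would feed it the output of `openssl ciphers -v '<your configured cipher string>'`.

```python
import re

# Constructed sample of `openssl ciphers -v` output (not captured from any
# poster's server). Format: NAME PROTO Kx=.. Au=.. Enc=ALG(bits) Mac=.. [export]
SAMPLE_CIPHERS_V = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
DES-CBC-SHA             SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=SHA1
EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export
NULL-SHA                SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=SHA1
"""

# Matches the symmetric cipher field, e.g. "Enc=DES(56)" or "Enc=None" (no bits).
ENC_RE = re.compile(r"Enc=(?P<alg>[A-Za-z0-9]+)(?:\((?P<bits>\d+)\))?")


def parse_ciphers_v(text):
    """Turn `openssl ciphers -v` lines into dicts: name, protocol, enc, bits, export."""
    suites = []
    for line in text.splitlines():
        fields = line.split()
        m = ENC_RE.search(line)
        if len(fields) < 2 or not m:
            continue  # blank or unrecognised line
        bits = int(m.group("bits")) if m.group("bits") else 0  # Enc=None -> 0 bits
        suites.append({
            "name": fields[0],
            "protocol": fields[1],
            "enc": m.group("alg"),
            "bits": bits,
            "export": "export" in fields[2:],
        })
    return suites


def is_weak(suite, min_bits=128):
    """Weak by the QID's criterion (small symmetric key), plus NULL and export suites."""
    return suite["bits"] < min_bits or suite["export"] or suite["enc"] == "None"


def weak_suites(text, min_bits=128):
    """Names of the suites that should be removed from the server configuration."""
    return [s["name"] for s in parse_ciphers_v(text) if is_weak(s, min_bits)]


def hardened_cipher_string(text, min_bits=128):
    """Explicit allow-list of surviving suites (original order) with exclusions
    appended, in the colon-separated form Apache's SSLCipherSuite accepts."""
    keep = [s["name"] for s in parse_ciphers_v(text) if not is_weak(s, min_bits)]
    return ":".join(keep + ["!aNULL", "!eNULL", "!EXPORT", "!LOW"])
```

Because it parses whatever cipher list you hand it, the same script works for internal hosts that the external SSL Server Test cannot reach.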
